AN OPEN LETTER TO CEOs AND BOARD DIRECTORS ON DATA PRIVACY DAY
Dear CEOs and Board Directors:
Have you heard about Data Privacy Day?
On January 28, 2007, Europe launched its first Data Protection Day. Two years later, on January 28th, Data Privacy Day was launched in Canada and the United States. Over the 11 years since, this day has grown in significance as countries around the world raise awareness about the importance of promoting privacy and data protection best practices.
This year’s Data Privacy Day theme is: Respecting privacy, safeguarding data and enabling trust. It’s a perfect day for you to take stock of how you and your organization are treating the private and sensitive data you handle.
The era of the data breach
Cyberattacks are growing year over year in number and impact.
A study commissioned by Bromium and presented at the RSA conference in 2018 estimated that the cybercrime industry is generating $1.5 trillion in illicit profits each year, and it’s growing. Isn’t this figure staggering? Just in the past year, organizations like Capital One, Facebook and Ecuadorian National Bank were amongst the companies that fell prey to exploits that exposed the data of millions of consumers.
The first question that may come to mind is: Can this happen to us too? The answer is “yes”. Security experts widely opine that it’s not if it will happen to your company, it’s when.
Many of the breaches are landing a solid punch on business operations. Up to 60% of the impacted companies are said to go out of business within six months after a major data breach. And the average company finds it difficult to recover from this type of business disruption because of the severe consequences it suffers: data loss, lost business, loss of customer confidence, damage to brand and financial losses, inter alia.
The scary thing is that these data attacks can happen to you too.
Information Security (infosec) & Privacy
If this all makes you more than a tad uncomfortable, that’s good. You may have already thought about these things, but is it on your radar in the Board Room? It needs to be there. Maybe you have just been relying on your IT people to get it right. That’s not an unusual response; however, your IT people need your support and strategic leadership.
The rising risks of operating in the digital economy are demanding that you, the leaders of organizations, level up your game. Business today is very much about leveraging technology and data and this puts great importance on your governance role.
The market needs you to be bold in seeking a better understanding of the information security and privacy issues. That will then equip you to execute your information governance role of setting policy and deploying the resources necessary to protect your data and safeguard the privacy of your constituents.
In all this, let’s not lose sight of the fact that privacy is a fundamental right recognized in the UN Declaration of Human Rights. The duty to protect the personal identifiable information of our employees, customers and other constituents is therefore an obligation that every well-thinking company will want to observe in the digital economy. It’s just good business to do so, and poor judgment to do otherwise.
If you’re convinced that the threat is real, you will also appreciate that there’s much work to be done to up-level the Board Room governance on matters relating to cybersecurity, data protection and privacy. The work, therefore, is to figure out what the nature of the leadership and oversight should be that you, your fellow directors and C-suite leaders provide to manage and mitigate the risks.
And remember it’s not just about securing the information. You also have an obligation to protect the privacy of those who share their information with you.
The four questions that you will want to immediately put to management about data breaches and security incidents are:
- How are you preventing them? Human error is a major contributor to data breaches. You may hear about password management and prompt installation of patches. However, the response you get should also include a reference to user awareness training.
- How are you detecting them? The response should include mention of antivirus software, and maybe even penetration testing.
- How are you responding to them? The response should include a reference to an incident response or breach response plan. You may also hear of cybersecurity insurance in place to mitigate losses.
- How are you reporting on them? You want to know the metrics shared, to whom, and with what frequency, and what follow-up measures are taken as a consequence of the information shared.
Champion this cause and your customers and employees will love you!
Securely yours …and best always!
A Cecile Watson (CDP)*
Chief Executive Officer
[email protected] | *CDP – certified in data protection
P.S. Look out for my follow-up message providing key considerations to start engaging on Information Governance at the Board level.
ShredWIZ specializes in data protection and risk mitigation. We work with governments and businesses in the Caribbean to develop security conscious workforces and robust cyber resilience cultures, offering services that include data protection governance, security awareness training, cybersecurity education and secure document & digital media destruction. Learn more at shredwiz.com.